Office of Inspector General
Office of Audit

Department of Labor Is Refocusing Efforts to Improve Physical Security of its Minimum Essential Infrastructure

Report Number: 23-01-002-07-711
Date Issued: July 20, 2001

Table of Contents

Executive Summary
Background
Objective, Scope, Criteria and Methodology
Finding and Recommendations
        Department Recognizes Identified Deficiencies in Three Key Physical Security Areas and Efforts are Under Way to Improve
                Critical Infrastructure Planning is Outdated and Limited
                Identification of Critical Assets is Outdated and Limited
                Vulnerability Assessments are From External Sources
                Efforts Now Under Way to Improve Focus on Key Physical Security Areas
Conclusion
Recommendations
Acronyms
Appendix A
        Comments from the Assistant Secretary for Administration and Management

Executive Summary

The Office of Inspector General (OIG) audited the Department of Labor’s (DOL) efforts to protect its physical minimum essential infrastructure (MEI) as it relates to Presidential Decision Directive (PDD) 63, issued May 1998. PDD 63 calls for a national effort to assure security of the Nation’s MEI, which encompasses those physical and cyber-based systems essential to the minimum operations of the economy and government. The audit was done in accordance with Government Auditing Standards issued by the Comptroller General of the United States and the President’s Council on Integrity and Efficiency (PCIE)/Executive Council on Integrity and Efficiency (ECIE) Review Guide Phase III - Planning and Assessment Activities for Physical Minimum Essential Infrastructure.

The Department’s efforts to protect its identified MEI, since implementation of PDD 63, were found to be outdated and limited in focus. For example, the Department’s Critical Infrastructure Protection Plan (CIPP), dated June 1999, was not kept current with major revisions to the inventory of critical cyber PDD 63 systems and related physical facilities. In addition, the Department relied on assessments and/or surveys conducted by other Federal Government interests, such as the General Services Administration (GSA). However, recent efforts by the Department and specific departmental actions taken during OIG’s audit fieldwork show that DOL efforts to protect its physical MEI are improving in the three key areas (i.e., critical infrastructure planning, identification of critical assets, and vulnerability assessments). The Department has developed a proactive approach to take specific steps to meet the requirements of PDD 63 and improve upon each of the three key areas.

To ensure the Department is prepared to meet potential threats against its physical MEI and meet the requirements of PDD 63, we recommend that the Assistant Secretary for Administration and Management take the following actions.

1.      Foster an effective working relationship between the Chief Information Officer (CIO) and Business Operations Center to develop and complete a comprehensive CIPP which addresses all of its critical, physical (non-cyber based) MEI, including identifying its:

        a.      internal and external critical, physical (non-cyber based) MEI which are vital to the Department’s operations (includes people and facilities) and the methodologies (processes) used to identify the buildings as critical, physical (non-cyber based) MEI of the Department; and

        b.      associated interdependencies.

2.      Establish policies and procedures for:

        a.      governing the management and protection of the Department’s MEI;

        b.      evaluating new assets to determine if they need to be included as part of the MEI; and

        c.      conducting periodic updates and evaluations of risk mitigation steps to determine if related policies, procedures and controls require updating.

3.      Establish milestones for incorporating its Critical Infrastructure Protection (CIP) function into its strategic planning and performance measurement frameworks.

4.      Include a reference in the CIPP to the Continuity of Operations Plan (COOP) and/or Continuation of Government (COG) plans as documents for the reestablishment of operations following an attack on its physical structures. Design, develop, and implement these related systems to fully respond to significant infrastructure attacks, while the attack is under way, with the goal to isolate and minimize damage to its MEI.

5.      Conduct vulnerability assessments on all its critical, physical (non-cyber based) MEI for:

        a.      identifying the current level of protection in place for its critical, physical (non-cyber based) MEI and the actions that must be taken before it can achieve a reasonable level of protection for its critical, physical (non-cyber based) MEI;

        b.      prioritizing the threats according to their relative importance;

        c.      identifying the vulnerabilities of its critical, physical (non-cyber based) MEI as they relate to its interdependencies with Federal agencies, state and local government activities and other infrastructure services; and

        d.      developing an implementation plan and mechanism to monitor.

6.      Adopt a multi-year funding plan to address the identified threats and the cost of implementing a multi-year vulnerability redemption plan in its budget submission to the Office of Management and Budget (OMB). Develop an estimate of the replacement costs, planned life-cycle, and potential impact to the Department if the asset is rendered unusable.

                                      ---             ---            ---

Based on discussions with departmental officials, response to the draft report, and receipt of information on planned corrective actions, the OIG has resolved all of the above recommendations and will continue to work closely with your office to bring each to closure.

Background

Presidential Decision Directive (PDD) 63, issued in May 1998, requires a national effort to assure the security of the Nation’s critical infrastructures. Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. Critical infrastructures include, but are not limited to, telecommunications, banking and finance, energy, transportation, and essential government services.

Under this directive, the United States Government and private business sector partners are required to take all necessary measures to eliminate any significant vulnerabilities to both physical and cyber attacks on our Nation’s critical infrastructures. PDD 63 requires that by May 22, 2003, the United States shall have achieved and shall maintain the ability to protect its critical infrastructures from intentional acts that would significantly diminish the abilities of the:

        •       Federal Government to perform essential national security missions and to ensure the general public health and safety;
        •       state and local governments to maintain order and to deliver minimum essential public services; and
        •       private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.

The PCIE/ECIE developed a four-phased initiative to determine the magnitude and extent to which government agencies have been addressing the elements of protecting their critical infrastructure. A description of the PCIE/ECIE’s approach by review phase is summarized as follows (Phase III is highlighted as it is the focus of this report).

Phase I: Review the adequacy of agency planning and assessment activities for protecting its critical, cyber-based infrastructures. Specifically, review the adequacy of agency plans, asset identification efforts, and initial vulnerability assessments.

Phase II: Review the adequacy of agency implementation activities for protecting its critical, cyber-based infrastructures. Specifically, review the adequacy of agency activities in the following areas: risk mitigation; emergency management; interagency coordination; resource and organizational requirements; and recruitment, education and awareness.

Phase III: Review the adequacy of agency planning and assessment activities for protecting its critical, physical (non-cyber-based) infrastructures. Specifically, review the adequacy of agency plans, asset identification efforts, and initial vulnerability assessments.

Phase IV: Review the adequacy of agency implementation activities for protecting its critical, physical (non-cyber-based) infrastructures. Specifically, review the adequacy of agency activities in the following areas: risk mitigation; emergency management; interagency coordination; resource and organizational requirements; and recruitment, education and awareness.

Objective, Scope, Criteria and Methodology

The overall objective of the OIG was to review the DOL’s efforts to adequately protect its physical MEI. The OIG, through interviews and documentation analysis, assessed the adequacy of the DOL’s planning and assessment activities for protecting its critical, physical (non-cyber based) infrastructures. Specifically, this involved the analysis of the adequacy of DOL’s plan, asset identification efforts, and initial vulnerability assessments.

The scope of the work included DOL MEI as it is related to critical, physical (non-cyber based) MEI as defined by PDD 63 and covered the period of January 8, 2001 through April 5, 2001.

The audit was done in accordance with Government Auditing Standards issued by the Comptroller General of the United States and the PCIE/ECIE Phase III Review Guide dated October 25, 2000. In addition, OIG used principal Federal guidelines and provisions issued by the White House, OMB, Critical Infrastructure Assurance Office (CIAO), and the PCIE/ECIE, including: PDD 63, the White Paper on PDD 63, the CIAO National Plan for Information Systems Protection and the PCIE/ECIE Schedule of Review Results.

Finding and Recommendations

Department Recognizes Identified Deficiencies in Three Key Physical Security Areas and Efforts are Under Way to Improve

The information in the Department’s CIPP related to the critical physical MEI is outdated and limited and may result in unknown vulnerabilities due to the deficiencies identified in three key areas:

        •       Critical Infrastructure Planning
        •       Identification of Critical Assets
        •       Vulnerability Assessments

The Department has recognized these deficiencies and has developed a specific proactive approach to bring it into compliance with PDD 63 requirements.

Critical Infrastructure Planning is Outdated and Limited - Critical infrastructure planning includes the development and completion of a plan to protect critical, physical infrastructures. Physical security refers to the protection of building sites and equipment from theft, vandalism, natural and man-made disasters and accidental damage. The Department prepared a Critical Infrastructure Protection Plan (CIPP) dated June 10, 1999. However, the CIPP’s focus is on the cyber MEI, and while subsequent changes occurred to cyber and physical MEI, the CIPP was not correspondingly updated.

OIG’s review determined that the Department did not have a CIPP that was accurate and current. Some of the Department’s key activities and efforts toward development of a CIPP that addressed physical security are summarized below.

        February 1999 - Department submitted its original CIPP to the CIAO’s Expert Review Team (ERT) for review and comments.

        February 1999 - The ERT provided general and specific comments to the Department on the status of the CIPP. For example, one general comment for the Department from the ERT stated: “Pages 1, 5 indicate that the CIPP requirements for physical protection have been deferred by GSA. PDD 63 requires that physical protection be addressed in the CIPP.” The ERT recommended that the essential infrastructure (including physical facilities, information systems, and personnel) needed to accomplish those missions, and an analysis and rationale of why the assets are essential to accomplishing critical agency missions, be identified.

        June 1999 - The Department revised the February 1999 CIPP. OIG’s review of the revised CIPP dated June 1999 determined it included an inventory of the Department’s critical cyber and physical MEI assets. However, there was no evidence or mention in the CIPP of how or what the Department used to identify its critical, physical (non-cyber based) MEI.

        February - April 2001 - The Department informed the OIG during its fieldwork that the Department was in the process of developing a draft CIPP which covers its critical, physical (non-cyber based) MEI and may lead to new policies and procedures for the Department of Labor. During the preparation of this report, the Department provided to the OIG a draft CIPP dated May 11, 2001, in response to its milestone date of May 8, 2001. The final CIPP should include the following:

                •       procedures for conducting periodic updates to determine if assets need to remain as Minimum Essential Infrastructure;

                •       development of mitigation plans for physical critical assets;

                •       information on physical redemption plans;

                •       channels of notification to internal and external organizations, including OIG criminal investigators, FBI and other relevant agencies, of an infrastructure attack or attempts; and

                •       channels of communications and criteria for reporting and obtaining information on non-cyber attacks to the FBI’s National Infrastructure Protection Center (NIPC).

A final CIPP will enable the Department to establish responsibilities and direct specific activities to ensure the protection of its critical, physical (non-cyber based) MEI assets.

Identification of Critical Assets is Outdated and Limited - Critical infrastructures are systems and assets - both physical and cyber - so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security, national economic security, and/or national public health and safety. The Department’s CIPP did not accurately account for the cyber and physical MEI assets as revisions were made to the asset inventories.

OIG’s review of the Department’s June 1999 CIPP determined it included an inventory of its critical cyber and physical MEI assets (i.e., 51 cyber MEI assets (12 general support systems, 39 major applications) and 73 related physical MEI assets). However, there was no evidence or mention in the CIPP of how or what the Department used to identify its critical, physical MEI assets. The breakdown of the physical MEI by owner is as follows:

              Physical Inventory      Owner
                       53             GSA Owned
                       15             Commercial
                        1             GSA Owned/Leased
                        2             DOL Owned
                        1             National Institute of Occupational Safety and Health
                        1             Department of Defense
                       73             Total

The Department continued to make major revisions after June 1999 to its inventory of critical cyber PDD 63 systems but did not make corresponding revisions to its related physical facilities nor update the CIPP accordingly. In the agency’s status report to the OIG, dated March 30, 2001, it states the inventory of critical physical facilities was developed based on facilities that housed components of the critical cyber-based assets. However, the CIPP did not provide, nor has OIG received, any evidence to indicate the Department had:

        •       identified milestones when the identification of its critical, physical (non-cyber based) MEI is to be completed;
        •       information on whether the identified critical, physical (non-cyber based) MEI included people and facilities;
        •       identified interdependencies for its critical, physical (non-cyber based) MEI; and
        •       determined the estimated replacement cost, planned life-cycle, and potential impact to the agency if the asset is rendered unusable.

Without an accurate identification of these assets in the CIPP, the Department would be unaware of what MEI needs protection.

Vulnerability Assessments are From External Sources - Vulnerability assessments determine the adequacy of security measures, identify security deficiencies, evaluate security alternatives, and verify the adequacy of such measures after implementation. Vulnerability assessments can provide the Department information on where the vulnerabilities exist and aid in the development of remediation plans to correct the identified vulnerabilities. There was no evidence in the CIPP to indicate vulnerability assessments were performed or being scheduled for each of the critical, physical MEI assets, except for continued assessments and/or surveys by external Federal Government interests (e.g., GSA).

In discussions with agency representatives, OIG determined external vulnerability assessments and/or surveys have been conducted on the critical, physical MEI. The external vulnerability assessments and/or surveys of Federal buildings had been performed by the Department of Justice (DOJ), GSA, and an investigation undertaken by the House Subcommittee on Crime.

The DOL’s key physical security activities have included several physical security reviews and investigations by the GSA, DOJ, and special interest groups covering the period from 1992 to 2001.

OIG determined, based on the analysis of GSA’s surveys/risk assessments and discussions with management staff, that the Department has taken and continues to take steps to upgrade the Frances Perkins Building (FPB) as recommended by GSA. For example, the Department hired more guards to operate the security equipment. However, OIG has not received evidence to indicate the Department has conducted any vulnerability assessments and/or surveys on DOL owned and/or leased (commercial) property. The specific locations of these facilities are known to OIG and are not included in this report.

Without vulnerability assessments and/or surveys on DOL owned and/or leased facilities, the Department cannot:

       •       prepare redemption plans to address the vulnerabilities found during the assessment,
       •       determine the level of protection currently in place for its physical (non-cyber based) MEI,
       •       identify actions that must be taken before it can achieve a reasonable level of protection for its physical (non-cyber based) MEI,
       •       develop a related implementation plan and mechanism to monitor such implementation,
       •       adopt a multi-year funding plan to address the identified threats,
       •       reflect the cost of implementing a multi-year vulnerability redemption plan in its budget submission to OMB,
       •       prioritize threats according to their relative importance,
       •       assess the vulnerability of its physical (non-cyber based) MEI to failures that could result from interdependencies,
       •       develop a process to identify and reflect new threats to the Department’s physical (non-cyber based) MEI, and
       •       determine if results necessitate revisions to departmental policies that govern the management and protection of the Department’s physical (non-cyber based) MEI.

Efforts Now Under Way to Improve Focus on Key Physical Security Areas - In written response to OIG’s field work, the Department is taking a proactive approach to address all three key areas of concern to ensure protection of its critical, physical (non-cyber based) MEI in the context of PDD 63. This proactive approach includes:

       •       developing a draft CIPP which covers its critical, physical (non-cyber based) MEI for the three key elements of critical infrastructure planning, identification of critical assets, and vulnerability assessments;

       •       obtaining copies of DOL agencies’ vulnerability assessments performed on each of the critical, physical assets;

       •       implementing a new policy requiring agencies to provide the DOL Security Office with a copy of the assessments; and

       •       analyzing and reviewing the vulnerability assessments to make recommendations in areas deemed necessary to achieve an acceptable level of protection for its critical, physical infrastructure assets.

Conclusion

We found the Department’s efforts to protect its identified MEI, since implementation of PDD 63, to be outdated and limited in focus. The Department’s past approach to protecting its physical security assets has been to provide levels of protection based on recommendations of other Federal Government interests such as the GSA and the DOJ. During our audit work, the Department established a proactive approach to refocus its efforts through the development or update of its related security planning documents, asset inventory, and vulnerability assessments. Upon completion of these efforts, the Department will meet the requirements of PDD 63.

Recommendations

To ensure the Department is prepared to meet potential threats against its physical MEI and meet the requirements of PDD 63, we recommend that the Assistant Secretary for Administration and Management take the following actions.

1.     Foster an effective working relationship between the CIO and Business Operations Center to develop and complete a comprehensive CIPP which addresses all of its critical, physical (non-cyber based) MEI, including identifying its:

       a.      internal and external critical, physical (non-cyber based) MEI which are vital to the Department’s operations (includes people and facilities) and the methodologies (processes) used to identify the buildings as critical, physical (non-cyber based) MEI of the Department; and

       b.      associated interdependencies.

2.     Establish policies and procedures for:

       a.      governing the management and protection of the Department’s MEI;

       b.      evaluating new assets to determine if they need to be included as part of the MEI; and

       c.      conducting periodic updates and evaluations of risk mitigation steps to determine if related policies, procedures and controls require updating.

3.     Establish milestones for incorporating its CIP function into its strategic planning and performance measurement frameworks.

4.     Include a reference in the CIPP to the Continuity of Operations Plan (COOP) and/or Continuation of Government (COG) plans as documents for the reestablishment of operations following an attack on its physical structures. Design, develop, and implement these related systems to fully respond to significant infrastructure attacks, while the attack is under way, with the goal to isolate and minimize damage to its MEI.

5.     Conduct vulnerability assessments on all its critical, physical (non-cyber based) MEI for:

       a.      identifying the current level of protection in place for its critical, physical (non-cyber based) MEI and the actions that must be taken before it can achieve a reasonable level of protection for its critical, physical (non-cyber based) MEI;

       b.      prioritizing the threats according to their relative importance;

       c.      identifying the vulnerabilities of its critical, physical (non-cyber based) MEI as they relate to its interdependencies with Federal agencies, state and local government activities and other infrastructure services; and

       d.      developing an implementation plan and mechanism to monitor.

6.     Adopt a multi-year funding plan to address the identified threats and the cost of implementing a multi-year vulnerability redemption plan in its budget submission to OMB. Develop an estimate of the replacement costs, planned life-cycle, and potential impact to the Department if the asset is rendered unusable.

Acronyms

     CIAO   Critical Infrastructure Assurance Office
     CIO    Chief Information Officer
     CIP    Critical Infrastructure Protection
     CIPP   Critical Infrastructure Protection Plan
     COOP   Continuity of Operations Plan
     COG    Continuation of Government
     DOJ    Department of Justice
     DOL    Department of Labor
     ERT    Expert Review Team
     FPB    Frances Perkins Building
     GSA    General Services Administration
     MEI    Minimum Essential Infrastructure
     MSHA   Mine Safety and Health Administration
     OIG    Office of Inspector General
     OMB    Office of Management and Budget
     PCIE   President’s Council on Integrity and Efficiency
     PDD    Presidential Decision Directive